Opening a portable document format (PDF) attachment is a mundane action that most computer users around the world don’t think about too often. These days, however, e-mail users may want to think twice before opening a PDF document with Adobe Reader or Adobe Acrobat, the two most widely used applications for PDF files.
Technology news media outlets are reporting the propagation of a zero-day exploit that takes advantage of a potential security flaw in Adobe Reader 11.01 and all previous versions. In the case of the full Adobe Acrobat program, versions XI and below may also be compromised. According to global network security company FireEye, the zero-day exploit was detected on Tuesday, February 13th, 2013. The Adobe Product Security Incident Response Team also posted an advisory on the exploit.
The PDF Zero-Day Exploit Mechanism
As with most zero-day exploits, this attack arrives in an email that looks harmless. The message contains a PDF attachment and an invitation to open it. Computer users who have set their Adobe software to open PDF documents by default will see a sham error message that indicates a problem with a dynamic link library (DLL) file. The malware then opens a decoy PDF document as a smokescreen while it executes a DLL that connects the host computer to a remote server.
The targeted computer user will more than likely dismiss the PDF attachment and the email as spam or as an incorrectly routed message. What the user does not suspect is that a callback script has been installed and that there is an open connection to a remote computer that may be recording keystrokes or performing other nefarious functions. The host computer may also be recruited into a botnet that propagates spam across the Internet.
Bypassing the Sandbox
A couple of years ago, Adobe released a major security upgrade to its PDF applications. The Adobe sandbox is a protective environment that opens documents such that nothing is written to the hard drive and no malicious scripts are executed. The latest update from Adobe indicates that users should be on the alert when they receive any suspicious emails that prompt them to open PDF attachments, since the zero-day exploit may bypass the sandbox. Users of Adobe products should also upgrade their software versions and manually enable Protected View.
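For an administrator who wants to verify the two mitigations above (an up-to-date Reader and Protected View turned on) across Windows machines rather than trust users to click through the preferences dialog, the following PowerShell script audits a host and, with -Harden, enforces the settings. It is an added example written for this page, not code from the article or from Adobe. The registry key and value names (Privileged\bProtectedMode, TrustManager\iProtectedView, and the HKLM FeatureLockDown policy key), the AcroRd32.exe install path, and the version branch "11.0" are assumptions from Adobe's published preference reference as this example's author recalls them and should be confirmed against Adobe's documentation for the exact Reader version in use; the -MinimumPatched default is a placeholder to be filled in from Adobe's advisory.

```powershell
<#
  Added example (not from the article or from Adobe): audit Adobe Reader XI's
  sandbox (Protected Mode) and Protected View settings on a Windows host and,
  with -Harden, enforce them. Registry key/value names and the install path
  are ASSUMPTIONS based on Adobe's preference reference; confirm them for
  your Reader version before deploying.
#>
[CmdletBinding()]
param(
    [string]$Version = '11.0',          # Reader XI branch; adjust for other versions
    [version]$MinimumPatched = '0.0',   # PLACEHOLDER: set from Adobe's advisory
    [switch]$Harden                     # write hardened values instead of only reporting
)

$userBase   = "HKCU:\Software\Adobe\Acrobat Reader\$Version"
$policyBase = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

# Desired state. iProtectedView: 0 = off, 1 = only files from potentially unsafe
# locations, 2 = all files. bProtectedMode: 1 = sandbox on.
$checks = @(
    @{ Name = 'Protected Mode (sandbox)'; Subkey = 'Privileged';   Value = 'bProtectedMode'; Want = 1 }
    @{ Name = 'Protected View';           Subkey = 'TrustManager'; Value = 'iProtectedView'; Want = 2 }
)

function Get-RegDword {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: Reader falls back to its built-in default
}

function Set-RegDword {
    param([string]$Key, [string]$Name, [int]$Data)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
}

function Get-ReaderVersion {
    # Assumed default install path for 32-bit Reader XI (Program Files (x86) on 64-bit Windows).
    $base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $exe  = Join-Path $base "Adobe\Reader $Version\Reader\AcroRd32.exe"
    if (Test-Path $exe) { [version](Get-Item $exe).VersionInfo.ProductVersion } else { $null }
}

function Test-ReaderHardening {
    foreach ($c in $checks) {
        $userVal   = Get-RegDword "$userBase\$($c.Subkey)" $c.Value
        $policyVal = Get-RegDword $policyBase $c.Value   # FeatureLockDown overrides the user preference
        $effective = if ($null -ne $policyVal) { $policyVal } else { $userVal }
        [pscustomobject]@{
            Setting   = $c.Name
            User      = $userVal
            Policy    = $policyVal
            Effective = $effective
            Wanted    = $c.Want
            Compliant = ($effective -eq $c.Want)
        }
    }
}

# --- report ---------------------------------------------------------------
$installed = Get-ReaderVersion
if ($null -eq $installed) {
    Write-Warning "AcroRd32.exe not found at the assumed path; version check skipped."
} elseif ($installed -lt $MinimumPatched) {
    Write-Warning "Reader $installed is older than the minimum patched build $MinimumPatched; update first."
} else {
    Write-Host "Reader $installed installed."
}

Test-ReaderHardening | Format-Table -AutoSize

# --- enforce --------------------------------------------------------------
if ($Harden) {
    foreach ($c in $checks) {
        # Set the per-user preference and lock it via policy so users cannot turn it back off.
        Set-RegDword "$userBase\$($c.Subkey)" $c.Value $c.Want
        Set-RegDword $policyBase $c.Value $c.Want      # HKLM write: needs an elevated shell
    }
    Write-Host "Hardened values written; re-run without -Harden to verify."
    Test-ReaderHardening | Format-Table -AutoSize
}
```

Run it without switches first to see the current user, policy and effective values for each setting; a row whose Effective column is empty means Reader is using its built-in default, which is not the same as a verified "on". The -Harden path writes both the user preference and the FeatureLockDown policy value, because a policy value that the user cannot change is what an administrator actually wants from a sandbox setting; a per-user preference alone can be switched off again from the Preferences dialog.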
This article was submitted by Justin Garner, a blogger for CLEAR internet packages. He enjoys writing about current events, entertainment and computer networking.